Oberthur's card now is undergoing testing for compliance with FIPS-140-2 Cryptographic Module Validation Program to ensure it still conforms to the security requirements.

"It looks as though we will have some cards make it all the way through the process [by] early February," said Curt Barker, NIST's PIV program manager. "By having a precertified card, it means the application has been approved; so when CMVP people look at it, they are looking at a stable configuration, and they are looking at stable product."

Because smart cards that include the PIV application are cryptographic modules, the conformance to FIPS-140-2 needs to be re-examined to make sure continues to conform, Barker said. He estimated that completion of the CMVP validation would take six to eight weeks.

Barker added that Oberthur's card has already started the CMVP validation process.

Other cards, including one from GemPlus SA of Luxembourg, are also being tested, industry experts said.

Once validated for FIPS-201 and FIPS-140-2, cards must go through interoperability testing at labs sponsored by the General Services Administration before agencies can purchase them. GSA officials have said they plan to begin testing by late spring.

NIST eventually also will list preapproved middleware products on the Web site.